nla: invalidate sec handle after creation
If sec pointer isn't invalidated after creation it is not possible
to check if the upper and lower pointers are valid.

This fixes a segfault in the server part if the client disconnects before
the authentication was finished.
bmiklautz committed Jul 1, 2013
1 parent 87e9a24 commit 0773bb9
Showing 4 changed files with 7 additions and 3 deletions.
1 change: 1 addition & 0 deletions libfreerdp/core/nla.c
@@ -1245,6 +1245,7 @@ rdpCredssp* credssp_new(freerdp* instance, rdpTransport* transport, rdpSettings*
ZeroMemory(&credssp->negoToken, sizeof(SecBuffer));
ZeroMemory(&credssp->pubKeyAuth, sizeof(SecBuffer));
ZeroMemory(&credssp->authInfo, sizeof(SecBuffer));
SecInvalidateHandle(&credssp->context);

if (credssp->server)
{
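Review bot: The added `SecInvalidateHandle(&credssp->context);` in credssp_new has no comment, and nothing in this function explains why a freshly allocated context must be marked invalid. I would put `/* context is not established yet; mark it invalid so a teardown before authentication finishes does not treat it as live */` directly above the call. The teardown path is not part of this hunk, so the wording should be checked against credssp_free. credssp_new starts and ends outside the hunk.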
1 change: 1 addition & 0 deletions libfreerdp/core/peer.c
@@ -272,6 +272,7 @@ static int peer_recv_callback(rdpTransport* transport, wStream* s, void* extra)
sspi_CopyAuthIdentity(&client->identity, &(rdp->nego->transport->credssp->identity));
IFCALLRET(client->Logon, client->authenticated, client, &client->identity, TRUE);
credssp_free(rdp->nego->transport->credssp);
rdp->nego->transport->credssp = NULL;
}
else
{
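Review bot: `&(rdp->nego->transport->credssp->identity)`, three lines above the new assignment, is read without a NULL check, while this commit makes NULL a normal state for `credssp` (transport.c now clears it on both authentication-failure returns). If the branch condition, which lies outside the hunk, does not already guarantee a completed NLA handshake, that read becomes a NULL dereference on the server side when a peer fails or abandons authentication. A guard such as `if (!rdp->nego->transport->credssp) return -1;` before the copy would make the assumption explicit. The return value is a guess, because peer_recv_callback's error convention is not shown here.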
2 changes: 2 additions & 0 deletions libfreerdp/core/transport.c
@@ -159,6 +159,7 @@ BOOL transport_connect_nla(rdpTransport* transport)
"If credentials are valid, the NTLMSSP implementation may be to blame.\n");

credssp_free(transport->credssp);
transport->credssp = NULL;
return FALSE;
}

@@ -292,6 +293,7 @@ BOOL transport_accept_nla(rdpTransport* transport)
{
fprintf(stderr, "client authentication failure\n");
credssp_free(transport->credssp);
transport->credssp = NULL;
return FALSE;
}

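Review bot: The pair `credssp_free(transport->credssp); transport->credssp = NULL;` is now written out by hand at the failure return in transport_connect_nla, again in transport_accept_nla, and a third time in peer.c. A later call site that frees without clearing would bring back the dangling pointer this commit removes. A helper declared next to credssp_free would keep the two steps together, e.g. `void transport_credssp_release(rdpTransport* transport) { credssp_free(transport->credssp); transport->credssp = NULL; }` (the name is a suggestion, not an existing function). Whether credssp_free accepts NULL is not visible here and is worth confirming, since any teardown that runs after these returns will now pass it NULL. Both functions continue outside the hunks shown.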
6 changes: 3 additions & 3 deletions winpr/libwinpr/sspi/sspi.c
@@ -248,7 +248,7 @@ void* sspi_SecureHandleGetLowerPointer(SecHandle* handle)
{
void* pointer;

if (!handle)
if (!handle || !SecIsValidHandle(handle))
return NULL;

pointer = (void*) ~((size_t) handle->dwLower);
@@ -268,7 +268,7 @@ void* sspi_SecureHandleGetUpperPointer(SecHandle* handle)
{
void* pointer;

if (!handle)
if (!handle || !SecIsValidHandle(handle))
return NULL;

pointer = (void*) ~((size_t) handle->dwUpper);
@@ -839,7 +839,7 @@ SECURITY_STATUS SEC_ENTRY CompleteAuthToken(PCtxtHandle phContext, PSecBufferDes

SECURITY_STATUS SEC_ENTRY DeleteSecurityContext(PCtxtHandle phContext)
{
char* Name;
char* Name = NULL;
SECURITY_STATUS status;
SecurityFunctionTableA* table;

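Review bot: The new `!SecIsValidHandle(handle)` test in sspi_SecureHandleGetLowerPointer and sspi_SecureHandleGetUpperPointer only catches handles that were explicitly invalidated. Assuming the macro has its usual SSPI meaning (both fields differ from the all-ones value), a handle that was merely zero-filled still passes and is decoded by `(void*) ~((size_t) handle->dwLower)` into an all-ones pointer rather than NULL. That contract is not written down in these hunks, although it is why credssp_new needed the extra call in nla.c. I would document it above both getters, for example `/* Handles store the complemented pointer: initialise with SecInvalidateHandle(); a zero-filled SecHandle decodes to (void*) ~0, not NULL. */`. Both getters and DeleteSecurityContext continue outside the hunks shown, so how callers treat a NULL result could not be checked here.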
